
AI Surveillance: Unmasking Flock Safety’s Insecurities

Security researcher Jon “Gainsec” Gaines and YouTuber Benn Jordan discuss their examination of Flock Safety’s AI-powered license plate readers and how cost-driven design choices, outdated software, and weak security controls expose them to abuse.

The post AI Surveillance: Unmasking Flock Safety’s Insecurities appeared first on The Security Ledger with Paul F. Roberts.


Harmonizing compliance: How oversight modernization can strengthen America’s cyber resilience

For decades, the federal government has relied on sector-specific regulations to safeguard critical infrastructure. As an example, organizations including the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) set standards for the energy sector, while the Transportation Security Administration issues pipeline directives and the Environmental Protection Agency makes water utility rules.

While these frameworks were designed to protect individual sectors, the digital transformation of operational technology and information technology has made such compartmentalization increasingly risky.

Today, the boundaries between sectors are blurring – and the gaps between their governance frameworks are becoming attackers’ entry points.

The problem is the lack of harmony.

Agencies are enforcing strong but disconnected standards, and compliance often becomes an end in and of itself, rather than a pathway to resilience.

With the rollout of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the release of the National Institute of Standards and Technology’s Cybersecurity Framework 2.0, the United States has an opportunity to modernize oversight, making it more adaptive, consistent and outcome based.

Doing so will require a cultural shift within federal governance: from measuring compliance to ensuring capability.

Overlapping mandates, uneven protection

Every critical infrastructure sector has its own set of cybersecurity expectations, but those rules vary widely in scope, maturity and enforcement. The Energy Department may enforce rigorous incident response requirements for electric utilities, while TSA might focus its directives on pipeline resilience. Meanwhile, small water utilities, overseen by the EPA, often lack the resources to fully comply with evolving standards.

This uneven terrain creates what I call “regulatory dissonance.” One facility may be hardened according to its regulator’s rulebook, while another connected through shared vendors or data exchanges operates under entirely different assumptions. The gaps between these systems can create cascading risk.

The 2021 Colonial Pipeline incident illustrated how oversight boundaries can become national vulnerabilities. While the energy sector had long operated under NERC CIP standards, pipelines fell under less mature guidance until TSA introduced emergency directives after the fact. CIRCIA was conceived to close such gaps by requiring consistent incident reporting across sectors. Yet compliance alone won’t suffice if agencies continue to interpret and implement these mandates in isolation.

Governance as the common language

Modernizing oversight requires more than new rules; it requires shared governance principles that transcend sectors. NIST’s Cybersecurity Framework 2.0 introduces a crucial element in this direction: the new “Govern” function, which emphasizes defining roles, responsibilities and decision-making authority within organizations. This framework encourages agencies and their partners to move from reactive enforcement toward continuous, risk-informed governance.

For federal regulators, this presents an opportunity to align oversight frameworks through a “federated accountability” model. In practice, that means developing consistent taxonomies for cyber risk, harmonized maturity scoring systems and interoperable reporting protocols.

Agencies could begin by mapping common controls across frameworks, aligning TSA directives, EPA requirements and DOE mandates to a shared baseline that mirrors NIST Cybersecurity Framework principles. This kind of crosswalk not only streamlines oversight, but also strengthens public-private collaboration by giving industry partners a clear, consistent compliance roadmap.

Equally important is data transparency. If the Cybersecurity and Infrastructure Security Agency, DOE and EPA share a common reporting structure, insights from one sector can rapidly inform others. A pipeline incident revealing supply chain vulnerabilities could immediately prompt water or energy operators to review similar controls. Oversight becomes a feedback loop rather than a series of disconnected audits.

Engineering resilience into policy

One of the most promising lessons from the technology world comes from the “secure-by-design” movement: Resilience cannot be retrofitted. Security must be built into the design of both systems and the policies that govern them.

In recent years, agencies have encouraged vendors to adopt secure development lifecycles and prioritize vulnerability management. But that same thinking can, and should, be applied to regulation itself. “Secure-by-design oversight” means engineering resilience into the way standards are created, applied and measured.

That could include:

  • Outcome-based metrics: Shifting from binary compliance checks (“Is this control in place?”) to maturity indicators that measure recovery time, detection speed or incident containment capability.
  • Embedded feedback loops: Requiring agencies to test and refine directives through simulated exercises with industry before finalizing rules, mirroring how developers test software before release.
  • Adaptive updates: Implementing versioned regulatory frameworks that can be iteratively updated, similar to patch cycles, rather than rewritten every few years through lengthy rulemaking.

Such modernization would not only enhance accountability but also reduce the compliance burden on operators who currently navigate multiple, sometimes conflicting, reporting channels.

Making oversight measurable

As CIRCIA implementation begins in earnest, agencies must ensure that reporting requirements generate actionable insights. That means designing systems that enable real-time analysis and trend detection across sectors, not just retrospective compliance reviews.

The federal government can further strengthen resilience by integrating incident reporting into national situational awareness frameworks, allowing agencies like CISA and DOE to correlate threat intelligence and issue rapid, unified advisories.

Crucially, oversight modernization must also address the human dimension of compliance. Federal contractors, third-party service providers and local operators often sit at the outer edge of regulatory reach but remain central to national resilience. Embedding training, resource-sharing and technical assistance into federal mandates can elevate the entire ecosystem, rather than penalizing those least equipped to comply.

The next step in federal cyber strategy

Effective harmonization hinges on trust and reciprocity between government and industry. The Joint Cyber Defense Collaborative (JCDC) has demonstrated how voluntary partnerships can accelerate threat information sharing, but most collaboration remains one-directional.

To achieve true synchronization, agencies must move toward reciprocal intelligence exchange, aggregating anonymized, cross-sector data into federal analysis centers and pushing synthesized insights back to operators. This not only democratizes access to threat intelligence, but also creates a feedback-driven regulatory ecosystem.

In the AI era, where both defenders and attackers are leveraging machine learning, shared visibility becomes the foundation of collective defense. Federal frameworks should incorporate AI governance principles, ensuring transparency in data usage, algorithmic accountability and protection against model exploitation, while enabling safe, responsible innovation across critical infrastructure.

A unified future for resilience governance 

CIRCIA and NIST Cybersecurity Framework 2.0 have laid the groundwork for a new era of harmonized oversight — one that treats resilience as a measurable capability rather than a compliance checkbox.

Achieving that vision will require a mindset shift at every level of governance. Federal regulators must coordinate across agencies, industry partners must participate in shaping standards, and both must view oversight as a dynamic, adaptive process.

When frameworks align, insights flow freely, and regulations evolve as quickly as the threats they are designed to mitigate, compliance transforms from a bureaucratic exercise into a national security asset. Oversight modernization is the blueprint for a more resilient nation.

 

Dr. Jerome Farquharson is managing director and senior executive advisor at MorganFranklin Cyber.

The post Harmonizing compliance: How oversight modernization can strengthen America’s cyber resilience first appeared on Federal News Network.


National Cyber Defenses at Risk as Key Programs Expire Amid Government Shutdown

OPINION — Ransomware attacks conducted by criminals are persistently hitting airports, schools, and 911 dispatch centers, while foreign adversaries probe our critical infrastructure every day. Yet, two programs designed to build national cyber readiness to combat these threats — one that underpins public-private threat sharing, the other that builds local cyber defenses — have now expired. Congress’s inaction amid the government shutdown has left a widening gap in America’s cyber defenses.

Nearly a decade ago, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA 2015) to encourage private companies and government agencies to voluntarily share cyber threat indicators. The law officially expired on September 30. It was a bipartisan response to rising state-sponsored hacking campaigns, and it provided a legal framework — and protections — that still govern how threat data flows across public and private networks today.

This legal framework supports everything from classified alerts and incident reports to real-time information exchange across sectors like energy, transportation, and healthcare. Without it, experts warn that information sharing between companies and the federal government could drop by as much as 80 percent, severely degrading national cyber situational awareness.

Before the shutdown, steps toward a full reauthorization were underway, with bipartisan support in both chambers – but the process has now stalled entirely. One proposal, however, threatened to undermine the goals of the law. Senate Homeland Security Committee Chair Rand Paul’s (R-KY) version of CISA 2015 renewal would gut key legal protections — including liability and FOIA safeguards — and inject surveillance-related restrictions that have no place in cybersecurity law. His version would kill the trusted framework that enables timely, voluntary sharing of threat intelligence data, not improve it.

A more responsible path is already on the table. In early September, the House Homeland Security Committee Chair, Representative Andrew Garbarino (R-NY), introduced the Widespread Information Management for the Welfare of Infrastructure and Government Act, which would reauthorize CISA 2015 for ten years. It also includes a new outreach mandate to ensure that small and rural critical infrastructure owners and operators understand how to participate in information sharing efforts.

Meanwhile, the second program that expired is the State and Local Cybersecurity Grant Program (SLCGP) created through the 2021 bipartisan infrastructure law. Unlike CISA 2015, which supports federal-private coordination, this program was designed to build basic cyber capacity at the state and local level. It pushed state and local governments to create cybersecurity plans, conduct assessments, and adopt best practices – and provided the funding to put those plans into action. For many jurisdictions, this was their first real investment in cyber defense.

So far, the program has backed over 800 projects across 33 states and territories, totaling $838 million. In Utah, grant-funded tools helped stop a ransomware attack on a major airport and a 911 emergency dispatch center. In Maryland, it funded coordinated efforts across 40 counties. The program is not perfect — uneven cost-sharing requirements and bureaucratic restrictions limit its reach to smaller communities. But the results are clear: state officials say these projects “would not have been possible” without the SLCGP funding. This focus on state and local leadership on cybersecurity readiness is exactly what President Trump called for in his May 2025 Executive Order.


With the SLCGP expired as of August 31, that momentum is now in jeopardy. Without new funding, states and municipalities — especially those without dedicated cybersecurity teams — will be forced to pause cybersecurity initiatives. The result is not just slower progress, but a direct weakening of our national cyber posture. Alongside Rep. Garbarino’s bill, Representative Andy Ogles (R-TN) introduced the Protecting Information by Local Leaders for Agency Resilience Act, which would reauthorize SLCGP for ten years. But the bill lacks a dedicated funding amount.

A robust reauthorization of the SLCGP must do more than simply extend the program on paper. It must ensure sufficient, stable funding over the next decade, remove restrictions that prevent states from using funds for widely relied-upon cybersecurity services, and lower cost-share requirements for small and rural jurisdictions. The “whole-of-state” model — in which state agencies coordinate shared services for local governments — must be preserved and expanded.

The House had done its part, passing both ten-year reauthorizations with bipartisan support and including temporary extensions in the continuing resolution. But the Senate failed to act, leading to an immediate lapse. Unless both measures are included in the National Defense Authorization Act for a full, long-term extension, progress will stall. Anything less is a failure to defend the American people where the threat is already inside the wire — and would amount to more collateral damage from the shutdown.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

The Hidden Leverage of Digital Chokepoints

EXPERT PERSPECTIVE — When we think about the arteries of global power, images of oil pipelines or shipping lanes often come to mind. They are visible, tangible, and easy to picture on a map. The digital world has its own arteries, equally vital but far less visible: undersea cables, satellites, and semiconductor supply chains. These systems allow our economies to function, our militaries to coordinate, and our societies to remain connected.

We rarely stop to consider how very fragile they are. A fiber-optic cable lying quietly on the seabed, a satellite orbiting high above, or a single Dutch firm making the machines that build the world’s most advanced chips? Each represents a potential point of failure. And when one of them falters, whether by accident or design, the consequences ripple instantly across the globe. What makes this even more concerning is that adversaries understand their potential value. They have studied the geography of our digital world with the same intensity that past powers studied maritime routes. Increasingly, they are testing ways to hold these chokepoints at risk, not in open war, but in the murky space called the gray zone.

Consider the seabed. Nearly all intercontinental internet traffic runs not through satellites, as many imagine, but along the ocean floor. The “cloud” is, in truth, anchored to the seabed. These cables are resilient in some respects, yet highly vulnerable in others. Russia has long deployed specialized vessels (such as the Yantar) to loiter near critical routes, mapping them and raising concerns about sabotage. The People’s Republic of China has taken subtler approaches. On several occasions, cables linking Taiwan’s outlying islands have been cut by Chinese vessels in incidents they described as accidental. Taipei viewed them, by contrast, as deliberate acts of pressure that left communities offline for weeks.

Nature has been no less disruptive. A volcanic eruption severed Tonga’s only international cable in 2022, cutting off connectivity entirely. A landslide off Côte d’Ivoire in 2024 damaged four cables at once, leaving more than a dozen African states scrambling to restore service. These episodes remind us that chokepoints need not be destroyed to reveal their importance.

For China, the issue is a strategic one. Through its Digital Silk Road initiative, Beijing has financed and built cables across Asia, Africa, and Europe. Chinese firms now sit at landing stations and repair depots. In times of peace these investments look like connectivity. In times of crisis, they can become instruments of leverage or coercion.


The same logic applies in orbit. Satellites and global navigation systems act as the nervous system of modern life. They time banking transactions, guide aircraft, and support military operations. Disrupting them unsettles the rhythms of daily existence. Russia previewed this dynamic in 2022 when it launched a cyberattack against the Viasat KA-SAT network on the first day of its invasion of Ukraine. Thousands of modems across Europe went dark, cutting off critical communications. More routinely, Russian jamming and spoofing around Kaliningrad and Moscow have disoriented navigation systems, with civilian pilots suddenly reporting the loss of GPS mid-flight.

China has created its own path through BeiDou, a rival to GPS that is already woven into infrastructure and commerce across large swaths of the world. Countries adopting BeiDou for civilian uses also create dependencies that, in a crisis, could become channels of influence. China’s so-called inspector satellites, capable of shadowing Western systems in orbit, serve as a reminder that the domain is contested and difficult to police. Jamming, spoofing, or orbital surveillance are rarely attributable in real time. They can be dismissed as interference or technical glitches even when deliberate. That ambiguity is precisely what makes them effective tools of gray-zone leverage.

Vulnerability also extends to the factories that produce the silicon chips powering the digital age. No chokepoint illustrates fragility more starkly than semiconductors. Advanced chips are the foundation of artificial intelligence, modern weapons systems, consumer electronics, modern automobiles, and more. Yet their production is concentrated in very few hands. One company in Taiwan manufactures most of the world’s leading-edge chips. A single Dutch firm produces the extreme ultraviolet lithography machines needed to make them. And China has demonstrated repeatedly how control over upstream minerals can be wielded as leverage. Restrictions on gallium, germanium, and graphite have caused immediate price spikes and sent Western companies scrambling for alternatives.

The global chip shortage during the pandemic provided a glimpse of how disruption can have cascading impacts. Automotive plants shut down, electronics prices soared, and entire supply chains stalled. That was the result of market forces. In a geopolitical crisis, disruption would be intentional, targeted, and likely more devastating.


None of these vulnerabilities exist in isolation. Together, they form part of a broader and comprehensive strategy, particularly for China, where digital infrastructure has become a deliberate instrument of national power. Through the Digital Silk Road, through export controls on critical minerals, through investments in semiconductor capacity, through an ambitious national AI strategy, and BeiDou’s global adoption, Beijing is systematically building positions of leverage.

Is this preparation for an open assault on global systems? Maybe not, but it is a strategy designed for options in the gray zone. By holding digital chokepoints at risk, China can complicate allied decision-making and cast doubt on the reliability of critical systems, thereby slowing or obstructing responses at moments when speed is decisive. The ambiguity of each incident – whether it appears to be an accident, a policy choice, or something more calculated – becomes a tool of coercion.

The reality is that these risks cannot be eliminated. The very efficiency of the digital age depends on concentration. A single company leads in chipmaking, a limited set of satellites provides global timing, and relatively few cables carry the world’s data vast distances across the open ocean. Efficiency brings tremendous capability, but it also brings fragility. And fragility invites exploitation.

The counterweight must be resilience. That means redundant routes and suppliers, pre-positioned repair capacity, diversified supply chains, hardened infrastructure, and rehearsed recovery plans. The point is to recover and regain capacity as quickly as possible. To do so requires deeper public-private partnerships and closer coordination among allies, since no nation can protect these domains on its own. Resilience is not a one-time investment but a cultural shift. A culture that assumes disruption will come, prepares for it, and ensures that no single outage or shortage can paralyze us.

History offers some perspective. Nations once fought to control straits, canals, and oil fields. They still do so today, but increasingly our chokepoints are digital, hidden from sight yet just as consequential. Whoever shapes them, shapes the balance of global power.

Global stability today depends on foundations that are often invisible. Fiber-optic cables under the sea, satellites crossing the skies, and factories producing chips with microscopic precision form the backbone of our digital age. They showcase human ingenuity while highlighting profound vulnerabilities. Recognizing the duality of innovation’s promise alongside its fragility may be the most important step toward protecting what matters most in the digital age. And, yes, we must defend these technologies. But it’s about something bigger. It’s about ensuring that the digital world we depend on remains a source of strength, and not a lever of coercion.

All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the U.S. Government. Nothing in the contents should be construed as asserting or implying U.S. Government authentication of information or endorsement of the author's views.


Special Report: Nat Sec EDGE 2025



The Cipher Brief's Special Report on Nat Sec EDGE 2025

The Nat Sec EDGE 2025 conference took place June 5–6, 2025 in Austin, Texas.

Foreword

The 2025 Nat Sec EDGE Conference brought together a diverse coalition of leaders from government, industry, investment, and innovation to confront a shared reality: America’s national security advantage is eroding – and our ability to adapt at speed will determine the outcome of future conflicts.

Across two days of discussions, senior officials, technologists, operators, and investors delivered a clear message: the U.S. is engaged in an unprecedented strategic competition with near-peer adversaries who are moving faster, with fewer constraints, in an effort to achieve dominance in emerging domains. While the U.S. still holds an innovation edge, our traditional systems for acquisition, classification, and risk management are too slow, too fragmented, and too siloed to respond to the velocity of today’s threats.

What emerged from this gathering in Austin, TX was not just urgency – but clarity. The U.S. needs a new model for national security innovation – one built around speed, trust, integration, and mission-first execution. This means enabling “new primes” that can move at the pace of technology, equipping the defense industrial base with secure pathways to scale, and empowering operators and decision-makers with the tools to bridge policy, procurement, and operational need.

It also means recognizing that the problem is no longer technological – it’s sociological. The innovation exists. The capital exists. The threat is clear. What’s missing are the connective tissues: the incentives, partnerships, and trust frameworks that can accelerate solutions from concept to deployment.

This report captures the most critical messages and moments from Nat Sec EDGE. It is intended as both a record and a roadmap – for those shaping the future of American security.


Suzanne Kelly, Brad Christian, Ethan Masucol and Connor Curfman contributed to this report.


Building Up to Code: Cybersecurity Risks to the UK Construction Sector

PinnacleOne recently partnered with a leading UK construction company to analyze the cybersecurity risks shaping the sector in 2025. This new report explores how evolving threats intersect with the construction industry’s unique challenges, including tight project timelines, complex supply chains, sensitive data, and high-value transactions. Aimed at CISOs and security leaders, it provides actionable guidance to balance opportunity with resilience, ensuring construction firms stay secure while building the nation’s future.

Report Overview

The UK construction sector is a vital part of the national economy, contributing approximately 5.4% of GDP and employing around 1.4 million people. However, this critical industry is increasingly the target of cyber threat actors seeking financial gains and espionage.

PinnacleOne recently collaborated with a UK construction company to review these trends and bolster their cyber strategy. In a new report, PinnacleOne synthesizes key recommendations for construction sector cyber strategy to help CISOs stay ahead of the threat.

The construction industry’s core characteristics make it a uniquely enticing target for cyber threat actors:

  • Money: Construction companies frequently handle high-value transactions, making them susceptible to financial fraud via business email compromise (BEC). Attackers can achieve significant gains by intercepting even a single large transaction.
  • Sensitive Data: Construction firms often possess a variety of sensitive data, including personal, sensitive personal, and client data, some of which is regulated by mandates like the Building Safety Act. This data is valuable to both threat actors and regulators, incentivizing attacks and regulatory scrutiny.
  • Time Sensitivity: Construction projects operate on tight schedules and budgets. Cyberattacks causing delays can lead to reputational damage and liquidity issues, as rapid payment for invoices is often mandated.
  • Broad Attack Surface: The industry’s reliance on numerous contractors, subcontractors, suppliers, and a wide array of IoT/OT devices creates multiple avenues for threat actor infiltration, presenting significant cybersecurity challenges.

For construction companies, cyber risk is inherently business risk. Cyber incidents can directly impact project timelines, budgets, and even the safety and structural integrity of the built environment. The interconnected nature of the construction ecosystem means that attackers can leverage any exposed point of entry. This, combined with slim profit margins and inconsistent cybersecurity investments, elevates the risk profile for the entire industry.

By adopting a proactive, risk-based cybersecurity approach, construction firms can strengthen their resilience and protect operational continuity and client trust. Read the full report here.

PinnacleOne Strategic Advisory Group
Preparing Enterprises for Present and Future Challenges

Defending Against ToolShell: SharePoint’s Latest Critical Vulnerability

A new, critical zero-day vulnerability dubbed “ToolShell” (CVE-2025-53770) poses a significant threat to on-premises SharePoint Server deployments worldwide. The vulnerability enables unauthenticated remote code execution (RCE). SentinelOne has detected exploitation in the wild, which makes it important for organizations to take mitigating action as soon as possible.

In this blog, we outline ways to defend against ToolShell and how SentinelOne keeps you ahead of the curve for this critical vulnerability. For a comprehensive technical breakdown of this threat, we published a detailed analysis on the SentinelOne blog.

What is ToolShell?

ToolShell is a critical zero-day remote code execution vulnerability impacting on-premises SharePoint Servers. Its severity stems from several key characteristics:

  • Zero-Day Status: It was previously unknown and unpatched, leaving organizations exposed before official fixes were available.
  • High CVSS Score (9.8): This indicates near-maximum severity, signifying a critical vulnerability with a high impact.
  • No Authentication Required: Attackers can exploit ToolShell without needing valid credentials, making it incredibly easy to compromise vulnerable systems.
  • Remote Code Execution (RCE): Successful exploitation grants attackers the ability to execute arbitrary code on the compromised SharePoint Server, potentially leading to full system control, data exfiltration, or further lateral movement across the network.
  • In-the-Wild Exploitation: Threat actors are already actively leveraging this vulnerability, highlighting the immediate and tangible danger it poses.

SentinelOne’s Defense Against ToolShell

At SentinelOne, our commitment to proactive security means we are constantly working to identify and neutralize emerging threats, such as ToolShell, often before they become widespread news. SentinelOne was aware of ToolShell and working to defend our customers against it two days prior to the public announcement of the vulnerability. This integrated approach ensures that SentinelOne customers are protected from the outset:

  • SentinelOne’s Identification and Breakdown of the Vulnerability: Our world-class threat research team, SentinelLABS, along with our MDR team, swiftly identified and performed an in-depth technical analysis of the ToolShell vulnerability. This early insight is critical for developing effective countermeasures.
  • Out-of-the-Box Detection Logic for SentinelOne Customers: Based on the detailed analysis from SentinelLABS, our engineering teams rapidly developed and implemented robust, out-of-the-box detection logic directly into the SentinelOne platform. This means that SentinelOne customers automatically received protection against ToolShell.
  • Seamless IOC Integration: The IOCs identified by SentinelLABS are automatically integrated into the SentinelOne platform, enhancing its ability to detect and prevent ToolShell-related activity across all monitored endpoints.
  • Hunting Queries for Singularity Platform Users: For security teams leveraging the SentinelOne Singularity Platform, we have made specific hunting queries available below, as well as in our technical breakdown of this vulnerability. These queries empower security analysts to proactively search for any signs of ToolShell activity within their environments, ensuring comprehensive visibility and enabling rapid response.
  • Proactive Detection Through Singularity Vulnerability Management: SentinelOne customers who use Singularity Vulnerability Management can also detect instances of ToolShell within their environment, enabling teams to identify and mitigate the vulnerability before it is exploited during an active attack.

How to Defend Against ToolShell

Given the critical nature of ToolShell, we strongly recommend that organizations implement a multi-layered defense strategy. Proactive measures are crucial to mitigate the risk of compromise:

Immediate Mitigation & Patching:

  • Isolate SharePoint instances from public availability: Whenever possible, restrict access to on-premises SharePoint Servers from the public internet. This significantly reduces your attack surface.
  • Enable Antimalware Scan Interface (AMSI) in Full Mode: The Antimalware Scan Interface (AMSI) is an interface standard that enables SharePoint to integrate with your endpoint protection solution’s scanning capabilities. While AMSI was enabled by default in the September 2023 SharePoint update, organizations that do not have this capability configured should enable the integration as soon as possible.
  • Apply available patches immediately: Microsoft has released security updates to address ToolShell for SharePoint Subscription and 2019 versions. Organizations should prioritize and deploy these patches as soon as possible.

Enhanced Detection and Monitoring:

  • Integrate Indicators of Compromise (IOCs): SentinelLABS has provided specific IOCs related to the ToolShell exploitation, as detailed below and in SentinelOne’s technical breakdown. These should be promptly added to your EDR/XDR and SIEM toolsets for detecting potential exploitation in your environment. SentinelOne customers are encouraged to enable the platform detection rules for ToolShell that have already been added to your Platform Detection Library.
  • Monitor for Suspicious SharePoint Behavior: Deploy custom detection rules to monitor key SharePoint directories, specifically the `LAYOUTS` directory, to detect the presence of exploitation and the subsequent web shell. For SentinelOne users, relevant rules are provided in the Platform Detection Library.
  • Retroactive Threat Hunting: If you are currently running on-premises SharePoint Server, retroactive threat hunting for ToolShell exploitation is highly recommended.
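A sweep of the LAYOUTS directories for the artifacts reported on this page, as an added example (not SentinelOne's detection logic): it matches the published SHA-1 values and file names and flags script files changed since the first observed exploitation. The script-extension list and the function names are assumptions of this example.

```python
import hashlib
import os
from datetime import datetime, timezone

# SHA-1 indicators exactly as published on this page.
IOC_SHA1 = {
    "f5b60a8ead96703080e73a1f79c3e70ff44df271": "spinstall0.aspx webshell",
    "fe3a3042890c1f11361368aeb2cc12647a6fdae1": "xxx.aspx webshell",
    "76746b48a78a3828b64924f4aedca2e4c49b6735": "compiled spinstall0.aspx",
}
# File names the write-up reports in LAYOUTS (info.js received whoami output).
IOC_NAMES = {"spinstall0.aspx", "xxx.aspx", "info.js"}
# Earliest exploitation reported on this page: July 17, 2025 10:35:04 GMT.
FIRST_SEEN = datetime(2025, 7, 17, 10, 35, 4, tzinfo=timezone.utc)
# Assumption of this example: server-executed extensions worth a manual look.
SCRIPT_EXT = {".aspx", ".ashx", ".asmx"}

def sha1_of(path, chunk=1 << 16):
    """Stream a file through SHA-1 so large files do not load into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def sweep_layouts(root, known_sha1=IOC_SHA1, names=IOC_NAMES, since=FIRST_SEEN):
    """Return sorted [(path, [reasons])] for files under root needing review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of(path)
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            except OSError as exc:
                findings.append((path, [f"unreadable: {exc.strerror}"]))
                continue
            reasons = []
            if digest in known_sha1:
                reasons.append(f"sha1 match: {known_sha1[digest]}")
            if name.lower() in names:
                reasons.append("file name reported in this campaign")
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXT and mtime >= since:
                reasons.append(f"script modified {mtime:%Y-%m-%d %H:%M}Z, after first exploitation")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)

if __name__ == "__main__":
    # Both hive versions appear in the staging scripts described on this page.
    base = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions"
    for hive in ("15", "16"):
        layouts = os.path.join(base, hive, "TEMPLATE", "LAYOUTS")
        for path, reasons in sweep_layouts(layouts):
            print(path, "|", "; ".join(reasons))
```

A modification-time hit is a lead for manual review, since legitimate updates can also change files in LAYOUTS and timestamps can be altered; a hash or file-name hit warrants incident response.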

Conclusion

ToolShell represents a significant vulnerability that leaves many organizations running on-premises SharePoint Server at considerable risk. The potential for unauthenticated remote code execution, coupled with observed in-the-wild exploitation, underscores the urgent need for organizations to take decisive action to maintain their security posture. This includes diligently applying patches, implementing robust monitoring, and leveraging advanced threat detection capabilities to mitigate the risk.

For SentinelOne customers, you can rest assured that you are protected. Our dedicated threat research and MDR teams work tirelessly to stay one step ahead of adversaries, ensuring that our platform provides immediate and effective defense against emerging threats, such as ToolShell. Our proactive identification, rapid deployment of detection logic, and continuous sharing of intelligence empower our customers to maintain a resilient security posture.

Contact SentinelOne today to learn how our AI-powered security platform can provide the comprehensive protection and peace of mind your organization deserves. Don’t wait for the next zero-day; secure your future today.

Indicators of Compromise

SHA-1

f5b60a8ead96703080e73a1f79c3e70ff44df271 – spinstall0.aspx webshell
fe3a3042890c1f11361368aeb2cc12647a6fdae1 – xxx.aspx webshell
76746b48a78a3828b64924f4aedca2e4c49b6735 – App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll, a compiled version of spinstall0.aspx

IP Addresses

96.9.125[.]147 – attacker IP from “no shell” cluster
107.191.58[.]76 – attacker IP used in 1st wave of spinstall0.aspx cluster
104.238.159[.]149 – attacker IP used in 2nd wave of spinstall0.aspx cluster

New SentinelOne Platform Detection Rules

  • Web Shell Creation in LAYOUTS Directory
  • Web Shell File Detected in LAYOUTS Directory
  • Suspicious Process Spawned by SharePoint IIS Worker Process

SentinelOne Platform Hunting Queries

//Suspicious SharePoint Activity

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.parent.name contains "svchost.exe" and src.process.name contains "w3wp.exe" and tgt.process.name contains "cmd.exe" and src.process.cmdline contains "SharePoint"

//spinstall0.aspx execution traces

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.name contains "csc.exe" and tgt.file.path contains "App_Web_spinstall0.aspx"

Disclaimer

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.

SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers

On July 19th, Microsoft confirmed that a 0-day vulnerability impacting on-premises Microsoft SharePoint Servers, dubbed “ToolShell” (by researcher Khoa Dinh @_l0gg), was being actively exploited in the wild. This flaw has since been assigned the identifier CVE‑2025‑53770, along with an accompanying bypass tracked as CVE‑2025‑53771. These two new CVEs are being used alongside the earlier CVEs (49704/49706), which were patched on July 8th, with PoC code surfacing by July 14th.

The advisory also confirmed emergency patches for on-prem SharePoint Subscription Edition and SharePoint Server 2019, with updates scheduled for version 2016 as well. We strongly recommend immediate patching and following Microsoft’s recommendations to enable AMSI detection, rotate ASP.NET machine keys, and isolate public-facing SharePoint servers until defenses are in place.

SentinelOne first observed ToolShell exploitation on July 17th, ahead of official Microsoft advisories. Since then, we’ve identified three distinct attack clusters, each with unique tradecraft and objectives. In this blog, we unpack the timeline, explore these clusters, and equip defenders with best-practice mitigation strategies. At this time, we provide no attribution beyond this early clustering as research is ongoing.

Observed Targets

We have observed initial ToolShell exploitation against high value organizations, with victims primarily in technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations. The early targets suggest that the activity was initially carefully selective, aimed at organizations with strategic value or elevated access.

The attacks that we describe in this report were targeted in nature and occurred before public disclosure of the vulnerability spurred mass exploitation efforts from a wider set of actors. We expect broader exploitation attempts to accelerate, driven by both state-linked and financially motivated actors seeking to capitalize on unpatched systems.

SentinelOne has observed multiple state-aligned threat actors, unrelated to the first wave of exploitation, beginning to engage in reconnaissance and early-stage exploitation activities. We’ve also identified actors possibly standing up decoy honeypot environments to collect and test exploit implementations, as well as sharing tooling and tradecraft across known sharing platforms. As awareness spreads within these communities, we expect further weaponization and sustained targeting of vulnerable SharePoint infrastructure.

Technical Overview

Both previously patched CVEs (49704/49706) were first disclosed at Pwn2Own Berlin. It was later discovered that these two flaws could be paired together to produce the full RCE ‘ToolShell’ attack chain. The name ‘ToolShell’ refers to the initial abuse of SharePoint’s /ToolPane.aspx (CVE-2025-49704), a system page used for website configuration and management.

This vulnerability chain enables unauthenticated remote code execution by sending a crafted POST request to the URI /layouts/15/ToolPane.aspx?DisplayMode=Edit, exploiting a logic flaw in the Referer header validation. This bypass allows attackers to access SharePoint’s ToolPane functionality without authentication, ultimately leading to code execution via uploaded or in-memory web components.
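A retroactive hunt over IIS W3C logs for the request described above and for the files and source addresses reported on this page, as an added example (not SentinelOne's tooling). The sample log is constructed, and the field selection and function names are assumptions of this example.

```python
from urllib.parse import parse_qs

# Source addresses from this page's indicator list, stored defanged as published.
IOC_IPS = {ip.replace("[.]", ".") for ip in (
    "96.9.125[.]147", "107.191.58[.]76", "104.238.159[.]149")}
# File names this page reports in the LAYOUTS directory.
SHELL_NAMES = {"spinstall0.aspx", "xxx.aspx", "info.js"}

# Constructed sample log (documentation addresses; not real telemetry).
# The page does not give the Referer value used, so it is reported, not matched.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-20 08:00:01 GET /_layouts/15/start.aspx - 198.51.100.7 - 200
2025-07-20 08:00:05 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.50 - 200
2025-07-20 08:00:09 GET /_layouts/15/spinstall0.aspx - 203.0.113.50 - 200
2025-07-20 08:00:12 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 - 302
""".splitlines()

def iter_records(lines):
    """Yield one dict per request, honouring every #Fields directive seen."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def classify(rec):
    """Return the reasons a request matches behaviour described on this page."""
    reasons = []
    stem = rec.get("cs-uri-stem", "").lower()
    params = {k.lower(): [v.lower() for v in vals]
              for k, vals in parse_qs(rec.get("cs-uri-query", "")).items()}
    in_layouts = "layouts/" in stem
    if (rec.get("cs-method") == "POST" and in_layouts
            and stem.endswith("/toolpane.aspx")
            and "edit" in params.get("displaymode", [])):
        reasons.append("POST to ToolPane.aspx with DisplayMode=Edit")
    if in_layouts and stem.rsplit("/", 1)[-1] in SHELL_NAMES:
        reasons.append("request for a reported web shell file")
    if rec.get("c-ip") in IOC_IPS:
        reasons.append("source address in indicator list")
    return reasons

def hunt(lines):
    """Return flagged requests with the fields an analyst needs for triage."""
    hits = []
    for rec in iter_records(lines):
        reasons = classify(rec)
        if reasons:
            hits.append({"time": f"{rec.get('date')} {rec.get('time')}",
                         "c-ip": rec.get("c-ip"), "uri": rec.get("cs-uri-stem"),
                         "referer": rec.get("cs(Referer)"),
                         "status": rec.get("sc-status"), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A 200 response to a request for one of the reported file names means the file was present and served, so that host should be treated as compromised and its machine keys rotated after patching.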

xxx.aspx

On July 18th, 2025 at 09:58 GMT, SentinelOne observed a single exploitation attempt where the attacker dropped a custom password-protected ASPX webshell named xxx.aspx. This activity appears to be hands-on and exploratory in nature, likely performed by a human operator rather than an automated script.

The webshell was written to the following path:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\xxx.aspx

This webshell provides a basic HTML interface allowing three primary functions:

  1. Authentication via an embedded form that sets a cookie.
  2. Command Execution by submitting commands through the GTaRkhJ9wz parameter, which are run via cmd.exe and returned to the client.
  3. File Upload via a multipart form using fields 0z3H8H8atO (file) and 7KAjlfecWF (destination path).

The shell leverages basic obfuscation and validation mechanisms, including cookie-based authentication and a hardcoded SHA512 hash to restrict access. The password check logic suggests the actor anticipated repeated or remote usage of the shell.

After the webshell was dropped, the attacker issued the following commands:

cmd.exe /c whoami > c:\progra~1\common~1\micros~1\webser~1\16\template\layouts\info.js

The first attempt to redirect the whoami output failed due to a typo (\templa), indicating the activity was likely manual and exploratory. The corrected second command successfully writes the output of whoami into a web-accessible .js file, a common tactic for validating command execution and potentially retrieving output through a browser.

While this activity was limited to a single observed instance, the customized tooling and interactive behavior suggest a deliberate post-exploitation attempt by a threat actor testing or preparing for broader operations.

spinstall0.aspx

SentinelOne observed two distinct waves of activity involving a consistent final payload, spinstall0.aspx, dropped across SharePoint environments from different attacker infrastructure on July 18 and 19, 2025. While the initial dropper scripts varied slightly between waves, both resulted in deployment of the same webshell, designed to extract and expose sensitive cryptographic material from the host.

First Wave – July 18, 2025 (14:54–18:44 GMT)

Source IP: 107.191.58[.]76

This initial wave involved PowerShell-based payload delivery. A base64-encoded blob was decoded and written to the SharePoint LAYOUTS directory:

$base64String = [REDACTED]
$destinationFile = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"
$decodedBytes = [System.Convert]::FromBase64String($base64String)
$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop

The resulting file, spinstall0.aspx, is not a traditional command webshell but rather a reconnaissance and persistence utility:

<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>

This code extracts and prints the host’s MachineKey values, including the ValidationKey, DecryptionKey, and cryptographic mode settings—information critical for attackers seeking to maintain persistent access across load-balanced SharePoint environments or to forge authentication tokens.

Second Wave – July 19, 2025 (03:06–07:59 GMT)

Source IP: 104.238.159[.]149

Roughly 12 hours later, a second wave used nearly identical logic to deliver the same spinstall0.aspx payload. The key difference was in the PowerShell staging script:

$b = [REDACTED]
$c = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx"
$d = [System.Convert]::FromBase64String($b)
$e = [System.Text.Encoding]::UTF8.GetString($d)
$e | Set-Content -Path $c -ErrorAction Stop
Start-Sleep -s 3

While the encoded payload was marginally different in form, it decoded to the same spinstall0.aspx shell. The change in target directory, from 16\TEMPLATE to 15\TEMPLATE, may reflect testing across different SharePoint versions or environments.

Unlike more interactive webshells observed in this campaign, spinstall0.aspx does not support command execution or file upload. Instead, its singular purpose appears to be information gathering, specifically targeting cryptographic secrets that could be reused to forge authentication or session tokens across SharePoint instances.

Given the uniqueness and strategic value of the MachineKey data harvested by this shell, we assess this cluster to be part of a broader effort to establish durable access into high-value SharePoint deployments.

“no shell”

This activity cluster, tracked as “no shell”, represents a more advanced and stealthy approach compared to others in this campaign. SentinelOne observed this cluster operating between July 17, 2025 10:35:04 GMT and July 18, 2025 03:51:29 GMT, making it our earliest known exploitation of CVE-2025-53770 in the wild.

Unlike the other clusters, no persistent webshells were written to disk. Instead, telemetry and behavioral indicators suggest the attackers relied on in-memory .NET module execution, avoiding traditional file-based artifacts entirely. This approach significantly complicates detection and forensic recovery, underscoring the threat posed by fileless post-exploitation techniques.

All observed activity in this cluster originated from a single IP address: 96.9.125[.]147. Despite the lack of file system artifacts, compromised hosts exhibited patterns consistent with SharePoint exploitation, followed by encoded payload delivery and dynamic assembly loading via PowerShell or native .NET reflection.

Given the timing, just days after public proof-of-concept chatter began, and the sophistication of the fileless execution chain, we assess this cluster to be either a skilled red team emulation exercise or the work of a capable threat actor with a focus on evasive access and credential harvesting.

Defenders should be especially vigilant for memory-resident activity following SharePoint exploitation attempts and should employ EDR solutions capable of detecting anomalous .NET execution patterns and assembly loading.

Conclusion

Modern threat actors are maximizing gains from patch diffing, n-day adoption, and iterative development of exploits through fast adoption. SharePoint servers are attractive to threat actors for the high likelihood that they store sensitive organizational data. Beyond their value as a knowledge store, vulnerable SharePoint servers can be used to stage and deliver additional attack components to the victim organization for internal watering hole attacks. The ease of exploitation and potential value of the data hosted on these servers make ‘ToolShell’ a potent and dangerous attack chain.

As of this writing, SharePoint Online for Microsoft 365 is not impacted. Our research teams have provided out-of-the-box Platform Detection rules and Hunting Queries to assist in discovering and isolating related behavior. We recommend that vulnerable organizations apply the security updates released by Microsoft on July 21, 2025 to mitigate the related vulnerabilities as soon as possible. SentinelOne is actively monitoring its customer base for impact and is notifying those affected as they are identified.

Indicators of Compromise

SHA-1

f5b60a8ead96703080e73a1f79c3e70ff44df271 - spinstall0.aspx webshell
fe3a3042890c1f11361368aeb2cc12647a6fdae1 - xxx.aspx webshell
76746b48a78a3828b64924f4aedca2e4c49b6735 - App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll, a compiled version of spinstall0.aspx

IP Addresses

96.9.125[.]147 - attacker IP from “no shell” cluster
107.191.58[.]76 - attacker IP used in 1st wave of spinstall0.aspx cluster
104.238.159[.]149 - attacker IP used in 2nd wave of spinstall0.aspx cluster

New SentinelOne Platform Detection Rules

  • Web Shell Creation in LAYOUTS Directory
  • Web Shell File Detected in LAYOUTS Directory
  • Suspicious Process Spawned by SharePoint IIS Worker Process

SentinelOne Platform Hunting Queries

//Suspicious SharePoint Activity

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.parent.name contains "svchost.exe" and src.process.name contains "w3wp.exe" and tgt.process.name contains "cmd.exe" and src.process.cmdline contains "SharePoint"

//spinstall0.aspx execution traces

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.name contains "csc.exe" and tgt.file.path contains "App_Web_spinstall0.aspx"

Disclaimer

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.
